37 posts tagged with "Tutorial"

Step-by-step guides and how-to articles

Detecting API Attacks: Audit Logs, Guardrails, Metrics

· 8 min read
STOA Team
The STOA Platform Team

Zero Trust architecture assumes breach — if you assume attackers are already inside, your priority shifts from pure prevention to detection. STOA generates structured audit events and Prometheus metrics that enable detection of credential abuse, prompt injection attempts, rate abuse, and data exfiltration patterns. This article covers what STOA detects, how to query for attack signals, and a practical incident response playbook.

Zero Trust for API Gateways: What It Actually Means

· 9 min read
STOA Team
The STOA Platform Team

Zero Trust for API gateways means one thing: never trust, always verify — every request, regardless of network origin, must present verifiable identity and be evaluated against explicit policy before receiving access. This article explains the five Zero Trust principles and how they apply specifically to API gateway design, with concrete examples from STOA Platform's implementation.

AI Gateway Rate Limiting: Token-Aware Quota Strategies

· 13 min read
STOA Team
The STOA Platform Team

AI gateways require specialized rate limiting approaches that account for token consumption, streaming responses, and variable request costs. Traditional request-per-second limits fail to capture the true resource usage of AI workloads. This guide covers token-aware rate limiting strategies, per-tenant quota management, and implementation patterns for production AI gateways.

Defense-in-Depth Security for AI-Native API Gateways

· 8 min read
STOA Team
The STOA Platform Team

STOA Platform secures AI agent API access through five independent layers: mTLS certificate binding, OAuth 2.1 with PKCE, OPA policy evaluation, AI guardrails, and immutable audit logging. Each layer addresses a distinct threat class. Compromise of any single layer does not grant unauthorized access. This article describes the security architecture, threat model, and design rationale for each layer.

stoactl: Manage APIs, Subscriptions, and MCP from Terminal

· 12 min read
STOA Team
The STOA Platform Team

stoactl is the command-line interface for STOA Platform that brings kubectl-style API management to your terminal. Install it with one command, authenticate to your Control Plane API, and manage APIs, subscriptions, and MCP tools without touching the web console—ideal for scripting, CI/CD pipelines, and developers who prefer the terminal.

Week 1 Operations Runbook: Install to Production-Ready

· 10 min read
STOA Team
The STOA Platform Team

You've installed STOA. The health check returns 200. Now what?

The gap between "it runs" and "it's production-ready" is where most setups fail. This runbook covers your first 7 days with STOA — the operational habits that prevent 3am surprises, the monitoring that catches issues before your users do, and the hardening steps that separate a demo from a real deployment.